Menlo Security recognized as leading enterprise browser company in GigaOm’s ZTNA report.
Icon Rounded Closed - BRIX Templates

How Legacy URL Reputation Evasion (LURE) attacks easily bypass current security tech


Whether it’s the push for fully remote work, in-office work, or a hybrid workstyle, the conversation around how and where employees will work continues. But guess what? To cybercriminals, this conversation doesn’t really matter. Not one bit. That’s because no matter where today’s enterprise worker resides and where the work is happening geographically, it’s happening digitally within a web browser. Today, the web browser is the go-to tool to get work done. It’s transformed how we communicate, work, and entertain ourselves. Its significance is undeniable.

The significance of the browser is, likewise, undeniable to attackers. And they are employing evasive techniques when attacking enterprise systems and data via social engineering and vulnerabilities found within web browsers. We’ve recently covered some methods, including HTML smuggling, malicious password-protected files, and MFA bypass attacks. Yet, these aren’t the only evasive attack techniques the Menlo Labs research team has been tracking.

Another such attack is what’s known as legacy URL reputation evasion (LURE) attack. LURE attacks are designed to – and successfully do – bypass web filters used to defend enterprise users from visiting malicious or compromised websites. They work primarily based on rating a website’s reputation and blocking users from reaching sites with a bad one. Attackers are now gaming this system to their advantage. LURE attacks are on the rise. Based on an analysis of Menlo customer data by the Menlo Labs research team, there has been a 70% increase from July 2021 to July 2022.

What are LURE attacks?

LURE attacks are used by threat actors to evade web filters that attempt to categorize domains based on trust. By successfully infiltrating trusted websites with malware, attackers can effectively evade URL filtering security defenses. The threat actors, in turn, use the malware-infected websites to compromise endpoints and snatch user credentials.

For more targeted attacks, threat actors may even go as far as to build new websites and leave those sites to operate on the web benignly so that they gain a good reputation over time. Eventually, they’ll flip the behavior of these websites to launch their attack campaigns and take URL categorization engines by surprise. They’ll also lure victims to these sites through spear-phishing emails.

Attackers also flip the use of traditionally defensive measures, such as CAPTCHAS, to improve their chances of success. While CAPTCHAS were developed to help authenticate human users from API bots, threat actors now use this technology to block web categorization crawlers and hide their true site nature from such categorization crawlers.

These different LURE examples can be used to publish phishing pages, execute browser exploits, and deliver malicious files to user endpoints.

How LURE attacks defeat traditional web filters

Because LURE attacks evade traditional web filters by quickly flipping benign and trusted websites to malicious websites, these attacks tend to compromise a large pool of unsuspecting users swiftly. While web and DNS filters efficiently block already known malicious websites, the categorization engines and deny lists within these technologies don’t work swiftly enough to block the initial waves of LURE attacks.

These URL filters — traditionally the first line of defense — when attempting to determine if a site is good or bad based on the reputation of the URL have been effective for more than two decades. Unfortunately, attackers have learned their way around these defenses. But these defenses were designed for a time when criminals would create a malicious website, host malware on it, and then do their best to drive traffic to that site. Once the nature of the website was determined, URL filters would stop these attacks by blocking those URLs.

Threat actors have evolved their techniques through evasive LURE attacks to become more effective than these filters. And they’re not done refining their LUREs. They continue to create their supply of websites with good reputations that they will eventually flip into sites that will launch effective LURE attack campaigns.

For these reasons, we categorize LURE attacks as Highly Evasive Adaptive Threats (HEAT).

HEAT attacks have grown in popularity among threat actors with the rise of cloud services and software-as-a-service applications. Cloud services, accessed by a web browser because of their very nature, make the browser the ideal target for digital attacks. And since traditional security tools were designed to defend applications installed on endpoints and traffic that flows across local networks, they are less than effective when protecting data and connections within the browser.

According to Palo Alto Networks, 90% of phishing kits use evasive techniques that render traditional web security useless.

Real-world examples of LURE attacks

There are numerous recent examples of LURE-style HEAT attacks occurring. Earlier this year, news broke of an “aggressive threat actor” targeting the finance and healthcare industries with SEO poisoning tactics and malware known as “Gootloader.”

“The actors create websites or populate web forums or similar websites with specific keywords and links, leading to a website hosting the infected file,” SC Magazine quoted researchers as stating.

In another recent attack, the tech news site BleepingComputer provided an analysis of a phishing campaign that utilized malicious Google ads to place phishing site results in Google search results. The attackers targeted Amazon Web Services (AWS) login credentials.

Thanks to effective SEO, the malicious ads ranked second when searching “AWS.” Users were directed to a blogger's website when they clicked on one of the malicious ads. In this LURE attack, the websites hosted what appeared to be an authentic AWS login page.

Similarly, notorious groups such as the North Korean state actor Lazarus Group have been seen to use LURE attacks. There has also been the VIPER spear-phishing campaign, the Qakbot campaign, and other nation-state threat actors using LURE-style attacks.

These attacks are becoming pervasive, with 50% of HEAT attacks emanating from categorized websites out of more than 5 million malicious URLs analyzed by Menlo Labs.

How to prevent LURE attacks

To effectively defend against HEAT attacks, such as LURE attacks, enterprises must improve the security of their user’s web browsers. By running the actual execution of events within the web browser, such as with browser isolation technologies, enterprises can monitor the actual events occurring inside web traffic, such as obfuscated JavaScript code, and identify any HEAT attacks before they can do damage.

Also, with browser isolation technologies used to analyze browser activity and determine malicious intent, a dynamic security policy can be invoked to prevent the threat from reaching the end user’s browser. Document-specific security policies can also be applied to HEAT downloads (viewed or downloaded in an isolated mode that protects the end user from risks.)

Enterprise security teams must understand how to defend their users, systems, and data from HEAT attacks such as LURE. Because whether the workforce works remotely, on-site, or a little bit of both, it doesn’t matter to attackers — they’re going to target where workers are always doing their work: and that’s their web browsers.

Menlo Security

menlo security logo
linkedin logotwitter/x logofacebook logoSocial share icon via eMail